Police Body Camera Apps Sending Data to Cloud Servers Hosted in China Via TLS Port 9091


Police-issued body cameras have become ubiquitous tools for recording law enforcement encounters, yet a recent investigation has uncovered troubling design choices in a budget-friendly system that compromise both privacy and data integrity.

The Viidure mobile application, designed to transfer video evidence from the camera’s onboard Wi-Fi hotspot to cloud servers, was found to communicate over a nonstandard TLS port, directing sensitive information to servers based in China.

This behavior raises significant concerns for departments relying on these devices to produce court-admissible evidence.


Initial traffic captures revealed that the mobile app establishes TLS connections to app-api.lufengzhe.com:9091, alongside geolocation API calls to api.map.baidu.com:443 and loc.map.baidu.com:443.

Camera (Source – Brown Fine Security)

Whois queries confirmed that the primary endpoint at 115.175.147.124 is owned by Huawei International Pte. Ltd. and originates from a Chinese network block.

Port 9091 is not a conventional HTTPS port. Whether or not the developer chose it for that reason, monitoring and inspection policies that are tuned to 443 tend to overlook flows on other ports, so this traffic is easy to miss.

Brown Fine Security analysts noted that the app’s reliance on improperly validated server certificates enabled a straightforward man-in-the-middle (MitM) attack.

Using a custom mitmrouter setup that presents a forged certificate, the researchers terminated the TLS session themselves and read the HTTP exchanges inside the tunnel in plaintext.

Such a misconfiguration not only exposes metadata such as device identifiers (sent in a field named imei) and usernames, but also lets anyone on the network path read or alter whatever else the app sends over the same channel, including uploaded video.

Mitmrouter diagram (Source – Brown Fine Security)
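The mechanism described above, as an added example that is not Brown Fine Security's code or the app's code: a loopback "interceptor" presents a freshly minted certificate for app-api.lufengzhe.com (the hostname from the capture; nothing is sent to it), and two client policies are tried against it. The app-style client skips verification and completes the handshake with the forgery; a client pinned to the genuine certificate refuses it but still reaches the genuine server. All certificates and servers are generated locally on each run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hostname taken from the article's capture. Every connection below stays on 127.0.0.1.
const targetHost = "app-api.lufengzhe.com"

// selfSigned mints a fresh self-signed certificate for host. It stands in both for
// the genuine server certificate and for the forgery an interceptor would present.
func selfSigned(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// serve starts a loopback TLS listener presenting cert and completes the handshake on
// every connection, which is all an interceptor needs to read the HTTP inside the tunnel.
func serve(cert tls.Certificate) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				_ = c.(*tls.Conn).Handshake() // failures are the strict client rejecting us
				c.Close()
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// handshakes reports whether a client using cfg completes a TLS handshake with addr.
func handshakes(addr string, cfg *tls.Config) bool {
	cfg.ServerName = targetHost
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Result records which client policy accepted which server.
type Result struct {
	WeakAcceptsForged    bool // app-style client (no verification) vs. interceptor
	StrictAcceptsForged  bool // pinned client vs. interceptor
	StrictAcceptsGenuine bool // pinned client vs. genuine server
}

// Demo runs the three handshakes and returns the outcome.
func Demo() (Result, error) {
	var r Result
	genuine, genuineParsed, err := selfSigned(targetHost)
	if err != nil {
		return r, err
	}
	forged, _, err := selfSigned(targetHost) // same name, different key: what a MitM presents
	if err != nil {
		return r, err
	}
	genuineAddr, stopGenuine, err := serve(genuine)
	if err != nil {
		return r, err
	}
	defer stopGenuine()
	forgedAddr, stopForged, err := serve(forged)
	if err != nil {
		return r, err
	}
	defer stopForged()
	// The app's effective policy: accept any certificate, so any interceptor wins.
	weak := func() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }
	// Hardened policy: trust only the genuine certificate and verify the hostname against it.
	pinned := func() *tls.Config {
		pool := x509.NewCertPool()
		pool.AddCert(genuineParsed)
		return &tls.Config{RootCAs: pool}
	}
	r.WeakAcceptsForged = handshakes(forgedAddr, weak())
	r.StrictAcceptsForged = handshakes(forgedAddr, pinned())
	r.StrictAcceptsGenuine = handshakes(genuineAddr, pinned())
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it prints WeakAcceptsForged:true, StrictAcceptsForged:false and StrictAcceptsGenuine:true. The same test applied to the real app is what the researchers' mitmrouter setup amounts to: if the app completes the handshake against a certificate the device does not trust, the TLS tunnel protects nothing.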

The intercepted payload carries a device identifier and application version details. One caveat: the srapi_imei value in the capture is 17 digits long, while a real IMEI has 15, so it is more likely an app-generated device identifier than the handset's IMEI.

The following snippet shows the HTTP POST request captured during the MitM session:

POST /iot/api/v1/version/check HTTP/1.1
Host: app-api.lufengzhe.com:9091
Content-Type: application/json
srapi_imei: 17562212185897060
srapi_time: 1757047550015

{
  "data": [
    {
      "model": "6zhentan_android",
      "version": "v2.7.1.250712",
      "imei": "17562212185897060"
    }
  ],
  "username": ""
}

Data Flow and Exfiltration

The Viidure application does not install malware; it functions as an exfiltration vector because of its insecure communications design.

Upon pairing with the camera’s hotspot, the app automatically initiates background data uploads without user notification.

TLS connections to the Chinese endpoint are established immediately, transmitting identifying information alongside any captured media metadata.

Whatever the reason for the choice, TLS inspection rules scoped to ports 443 and 8443 do not cover port 9091, so the traffic passes through unexamined.

The behavior is persistent because of the app's update check: every time the app checks for a new version, at startup and periodically during use, it reconnects to the same endpoint (the /iot/api/v1/version/check request shown above).

Because the app shows no consent dialog and the traffic leaves on a nonstandard port, departmental networks may be unaware of routine data streams exiting to servers outside their control; and because the app does not validate the server certificate, anyone on the path can read or alter those streams.

Security teams should segment body-camera and evidence-handling devices from the rest of the network, apply deny-by-default egress filtering to them, and write TLS inspection and alerting rules that cover nonstandard ports rather than only 443 and 8443, so that similar flows are detected and blocked.
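One way to implement the detection side of that recommendation, as an added example rather than anything from the original investigation: the scanner below walks a reduced Zeek-style ssl.log and flags a session when its SNI or destination address is on a watchlist built from the article's indicators (app-api.lufengzhe.com, api.map.baidu.com, loc.map.baidu.com, 115.175.147.124), or when TLS appears on a port other than the ones the network expects. The log lines are constructed for the example; apart from the article's address, every IP is in a private or documentation range, and the vendor hostnames are placeholders.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Indicators taken from the article's traffic captures.
var (
	watchHosts = map[string]bool{
		"app-api.lufengzhe.com": true,
		"api.map.baidu.com":     true,
		"loc.map.baidu.com":     true,
	}
	watchIPs = map[string]bool{"115.175.147.124": true}
	// Ports on which outbound TLS is expected on this network. Anything else
	// deserves a look even when the SNI and address are unknown.
	expectedTLSPorts = map[int]bool{443: true, 8443: true}
)

// sampleSSLLog is constructed for this example: a reduced, whitespace-separated
// Zeek-style ssl.log with the columns ts, id.orig_h, id.orig_p, id.resp_h,
// id.resp_p, server_name. Apart from the article's 115.175.147.124, all
// addresses are RFC 1918 or RFC 5737 documentation ranges.
const sampleSSLLog = `1757047550.015	10.20.30.41	51122	115.175.147.124	9091	app-api.lufengzhe.com
1757047551.210	10.20.30.41	51123	198.51.100.7	443	api.map.baidu.com
1757047552.004	10.20.30.42	51124	203.0.113.10	443	updates.example-vendor.com
1757047553.330	10.20.30.42	51125	203.0.113.11	8443	portal.example-vendor.com
1757047554.871	10.20.30.43	51126	203.0.113.12	9091	cdn.example-vendor.com`

// Alert is one flagged TLS session and every reason it matched.
type Alert struct {
	Timestamp string
	OrigHost  string
	RespHost  string
	RespPort  int
	SNI       string
	Reasons   []string
}

// classify returns the reasons a single parsed record should be flagged.
func classify(respHost string, respPort int, sni string) []string {
	var reasons []string
	if watchHosts[sni] {
		reasons = append(reasons, "watchlisted SNI "+sni)
	}
	if watchIPs[respHost] {
		reasons = append(reasons, "watchlisted destination "+respHost)
	}
	if !expectedTLSPorts[respPort] {
		reasons = append(reasons, fmt.Sprintf("TLS on unexpected port %d", respPort))
	}
	return reasons
}

// ScanSSLLog parses the records and returns one Alert per record that matches an
// indicator or carries TLS on a port outside expectedTLSPorts. Malformed lines
// are skipped rather than aborting the scan.
func ScanSSLLog(log string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 {
			continue
		}
		port, err := strconv.Atoi(f[4])
		if err != nil {
			continue
		}
		reasons := classify(f[3], port, f[5])
		if len(reasons) == 0 {
			continue
		}
		alerts = append(alerts, Alert{Timestamp: f[0], OrigHost: f[1], RespHost: f[3], RespPort: port, SNI: f[5], Reasons: reasons})
	}
	return alerts
}

func main() {
	for _, a := range ScanSSLLog(sampleSSLLog) {
		fmt.Printf("%s %s -> %s:%d (%s): %s\n",
			a.Timestamp, a.OrigHost, a.RespHost, a.RespPort, a.SNI, strings.Join(a.Reasons, "; "))
	}
}
```

On the sample, the first record fires on all three rules, the baidu lookup fires on the SNI watchlist alone even though it uses 443, and the last record fires only because of the port; the two 443/8443 sessions to unlisted hosts pass. The port rule is the one that keeps catching new endpoints after the indicator list goes stale, which is why it matters more than the watchlist in the long run.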




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.